Biggest data breaches in history

You entrust multiple organizations with your personal data every day, but are they as worried as you are about keeping it secure? Given that more than eight thousand data breaches have been reported since 2004, the odds are that your information has fallen into the wrong hands at some point. Here we reveal the biggest data breaches in history and how you can help mitigate the associated risks.

With a history of almost 9,000 US data breaches over the last 12 years, it’s a safe bet that any electronic information relating to you is either at risk or has already been compromised at least once. As James Comey, the former director of the FBI puts it, “there are two kinds of companies. Those that have been hacked and those that don’t know yet that they’ve been hacked.”

The need for online privacy and anonymity grows with every breach that occurs, and there does not appear to be any end in sight. Every corporation is gathering intel on their customers, clients, and even random people. Large corporations invest billions of dollars every year on data gathering systems, database technologies to store it all, expensive servers with massive amounts of storage, and data analysts to make sense of it.

It’s not just a game for businesses. Intelligence agencies the world over gather and try to make sense of information as their primary agenda. The unfortunate irony here is that many companies seem to lack concern over keeping that information safe and out of the hands of others once they have it. If it does fall into the wrong hands, there are various potential repercussions for those involved, including increased risk of falling victim to crimes such as spear phishing schemes, ransomware attacks, and identity theft.

The list below shows an annual breakdown of the largest of these data breaches, with a minimum of 10 million records at risk of being exposed to unauthorized persons. Note that the total number of reported breaches cited refers to breaches involving US companies or that have affected US customers.

Data breaches by year

2018

In 2018, 700 reported breaches have occurred so far, with 11 of them involving more than 10 million records.

Up to 500 million Marriott International guests may have been involved in this massive breach that began in 2014. More than 320 million customers’ data was breached, including names, addresses, and passport numbers, prompting many angry guests to demand that Marriott pay for the issue of new passports.

In June 2018, marketing and data aggregation firm, Exactis, leaked almost 340 million records onto a server that could be accessed by the public. Information on individuals and businesses was involved, including phone numbers, home addresses, and email addresses.

An estimated 150 millions users of Under Armour’s food and nutrition app, MyFitnessPal, may have had their information exposed. Data involved in the leak is thought to include email addresses, usernames, and hashed passwords.

Fitness software FitMetrix — which was acquired by MindBody earlier in 2018 — was involved in a breach that affected more than 113 million records, though the number of users this correlates to is unknown. The breach was discovered by a security researcher who found that three of FitMetrix’s servers were unprotected and leaking data.

In September 2018, a data security breach was discovered in the form of a bug that allowed attackers to take over control of people’s Facebook accounts. 50 million accounts were known to have been affected, but up to 40 million more could have been involved.

Prior to the above breach, the Cambridge Analytica scandal had come to light. The data analysis firm had accessed and stored the personal data of 50 million Facebook users via a third-party researcher. The acquisition of the data violated Facebook’s terms of service, and as such, represented a massive breach of user information.

Localblox is similar to Cambridge Analytica in that it scrapes information from publicly accessible sources to create profiles. It stored data on an unsecured container, a fact discovered by UpGuard, a cybersecurity research firm. As many as 48 million user profiles were being stored without a password, and although Localblox took immediate action, it’s unclear if anyone else accessed the 1.2 TB of data in the meantime.

40 million users of textbook rental and tutorial company, Chegg, and its family of brands were informed in September 2018 that their personal data may have been exposed to an unauthorized party which gained access to a company database. Leaked information included names, passwords, email addresses, and shipping addresses.

A malicious cyberattack led to the personal information of around 27 million Ticketfly account holders being accessed. Customers’ data that was breached included names, addresses, email addresses, and phone numbers.

After the company left more than 19 million voter records exposed online by failing to restore a protective firewall to its server, a ransomware attack was launched by malicious hackers. The newspaper refused to pay the ransom and notified voters of the breach.

In September 2018, the details of almost 11 million users were leaked from an e-marketing company database due to an unsecured server. Names, email addresses, gender details, and physical addresses were reportedly involved. The database was thought to have belonged to a company named SaverSpy.

2017

There were reportedly 853 breaches in 2017, with nine of them making the list.

A massive database of over 1.37 billion email addresses was exposed due to an improperly configured backup. Some of those records contained extra details like names, physical addresses, and IP addresses. The leak also exposed River City Media’s entire operation, including details like business plans, Hipchat logs, accounts, and more. River City Media is one of the largest providers of spam in the world, according to the news report.

A database containing political information on over 198 million US voters was discovered on an Amazon cloud storage system without any form of password protection. The Republican National Committee hired Deep Root Analytics to compile and analyze the data consisting of names, dates of birth, home addresses, phone numbers, and voter registrations. Deep Root Analytics has since taken full responsibility for the breach and implemented improved data security measures.

This breach was announced in 2018 but actually occurred in October 2017 and involved the more than 92 million customers’ data. A security researcher discovered the information, which included email addresses and hashed passwords, on a private server that didn’t belong to MyHeritage.

A security hole in T-Mobile’s website enabled attackers to use a phone number to access account details, including email addresses and a phone’s IMSI network code. Up to 76 million users may have been affected.

The Panera Bread breach began in 2017 but apparently no action was taken until 2018. Names, email addresses, home addresses, and phone numbers of up to 37 million customers was leaked from the site in plain text. The last four digits of customers’ credit card numbers were also involved.

It was revealed that records from a commercial corporate database regarding more than 33 million people were leaked by Dun & Bradstreet. Of the people involved, more than 100,000 worked for the Ministry of Defence and over 70,000 for major financial institutions. While the information wouldn’t be considered sensitive data (it included things like email addresses, job title, and company address), in the wrong hands, it would make executing scams like spear phishing and whaling far simpler.

2016

Over 412 million accounts representing 20 years of user personal data including email addresses, passwords, usernames, the database outline, sites in the network visited by users, site registration data, and much more.

Over 360 million usernames and passwords were stolen from MySpace. The passwords were stored as “unsalted SHA-1 hashes” and were broken using a cracking server capable of running millions of SHA-1 calculations per second.

Between 117 million and 167 million records are believed to have been stolen from the popular business social network, including user email address, hashed passwords, and LinkedIn ID numbers. The breach is said to have started in 2012 but in 2016, the data was up for sale online.

The email addresses and usernames of approximately 85.2 million users of one of the most popular video sharing sites on the internet were accessed in 2016. About one fifth of those accounts also had their hashed passwords copied, but the passwords were encrypted with fairly strong encryption making them difficult to crack or guess.

57 million customers’ and drivers’ names, e-mail addresses, and phone numbers were hacked in 2016. Uber then tried to cover up the breach by paying off the attackers who “promised” to delete the data. News of the breach broke in November 2017.

43.4 million records were stolen, but the means by which this theft was committed is not yet known. It is known that the compromised data contained email addresses, usernames, passwords, and logged IP addresses of users computers.

2015

A publicly available database full of information on 191 million US voters was found on the internet. The database contained names, home addresses, voter IDs, phone numbers, dates of birth, political affiliations, and detailed voting histories since 2000.

Over 80 million records were stolen, consisting of names, birthdays, medical IDs, social security numbers, street addresses, email addresses, and employment and income information, with the breach starting as early as 2014. On June 27th, 2017, Anthem agreed to a $115 million settlement for damages caused by this breach.

The company’s user databases, financial records, and other confidential information were leaked to the public. 37 million user records were stolen and dumped to the DarkNet. The hackers attempted to blackmail Ashley Madison into shutting down the website or the stolen database would be released to the public, exposing all of its users. Ashley Madison refused to comply and the data was released, along with several copycat databases containing bogus information.

This involved 21.5 million entries in a database of government workers and more specifically, anyone who had applied for a security clearance going back to 2000. SSNs and information related to what officials ask during interviews for security clearance were leaked.

15 million records of potential T-Mobile customers that had credit checks done by Experian were breached. The records consisted of names, addresses, social security numbers, dates of birth, and various identification numbers, including passports, driver’s licenses, and military identification numbers.

It appears this was the year for healthcare industry breaches as yet another huge attack hit health insurer, Excellus BlueCross Blue Shield. The information of more than 10 million individuals was leaked.

2014

869 breaches were reported with five over the 10 million record threshold.

This breach actually occurred in 2014, but was not announced or acknowledged by Yahoo until two years after the fact. The database that was accessed contained records of over 500 million of Yahoo’s users, including names, phone numbers, email addresses, hashed passwords, birth dates, and “encrypted or unencrypted security questions and answers.”

An impressive database of over a billion usernames and passwords along with more than 500 million email addresses was discovered on the DarkNet by a security firm. It was apparently the work of a Russian gang of hackers collecting information from hundreds of thousands of websites.

The Home Depot got hit twice in 2014. In February, three employees were suspected of stealing 30,000 records. Then in September, it was hit again for the details of 56 million credit and debit cards due to a hack of the point-of-sales systems in over 2,200 stores in the U.S.

2013

890 data breaches were reported in 2013, five of which hit above the 10 million mark.

More than 1 billion accounts were compromised in 2013, but this breach was not made public until 2016, and was most likely unrelated to the 500 million records stolen in 2014. Yahoo blamed the largest breach in history on hackers working on behalf of a government. The intruders used forged cookies to access user accounts without their passwords.

Up to 110 million payment card records were stolen during the Thanksgiving and Christmas holidays of 2013. This incident was used as a precedent for passing legislation in the U.S. implementing chip card technology.

Up to 50 million member accounts were at risk of being copied, consisting of names, email addresses, dates of birth, and encrypted passwords. At the time, an estimated 29 million people used LivingSocial, many with multiple accounts.

77 million PlayStation Network (PSN) users and more than 24 million Sony Online Entertainment customers were affected during this 2011 hack. Leaked details included names, addresses, email addresses, dates of birth, login credentials for PSN and Qriocity, and PSN IDs and handles. It is suspected that hackers may also have accessed purchase histories, billing addresses and security questions.

Hackers defaced a forum on Steam which prompted an investigation that revealed unauthorized access to a database containing user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information on over 35 million users.

2010

The largest data breach in 2010 was also the only one above 10 million at 13 million records stolen. Hackers were able to penetrate deviantART through the marketing company Silverpop Systems Inc. The exposed database consisted of user names, email addresses and birth dates of all deviantART users.

2009

270 data breaches were reported for 2009, with three of them making our list.

130 million credit cards were stolen through a hack of this credit card processor. The problem was exacerbated by the processor’s delays and inaccurate disclosures regarding the breach. One of the perpetrators was a Secret Service informant and suspect in the previous year’s TJ Stores hack.

76 million detailed records were reported at risk of being exposed when a defective hard drive was sent off for repair without first having its data destroyed. The drive was part of a RAID array of six drives that held an Oracle database filled with veterans’ information. The drive was deemed irreparable and was then sent to another entity for recycling, again, without being erased.

An SQL injection flaw in RockYou’s database exposed their entire list of usernames, email addresses, and passwords–around 32 million records. The passwords were stored in plain text and the database included login credentials for various social networks like Facebook and MySpace.

2008

355 data breaches were reported for 2008 with two of them going over the 10 million mark.

2007

Over 100 million records lost consisting of credit and debit card numbers; merchandise return records containing names and driver’s license numbers, as well as credit card account numbers. Special note: the primary hacker, Albert Gonzalez, appealed his conviction in 2011 on the grounds that he was acting with authorization from the Secret Service. The U.S. government acknowledged that Gonzalez was a key undercover informant for the Secret Service at the time. Mr. Gonzalez blamed his attorneys for not using this information as part of his defense.

2006

482 data breaches were reported this year. Two of those breaches surpassed the 10 million records mark.

A laptop and computer storage device containing sensitive data on 26.5 million veterans were stolen from the home of an unidentified employee of the Department of Veterans Affairs. The information consisted of names, social security numbers, dates of birth, phone numbers, and addresses on all American veterans discharged since 1975. The laptop and storage device were recovered almost two months later. According to an FBI investigation, the data had not been copied. In spite of this, the VA was still held accountable for ineffectual data security policies and neglecting to take proper security precautions regarding such sensitive data.

Over 17 million records were posted online containing names, phone numbers, addresses, email addresses, IP addresses, login credentials, credit card types, and purchase amounts. It is unclear as to whether the breach was the work of a dishonest insider or malicious software injected into iBill’s systems.

2005

136 data breaches reported for the year with only one of them over our minimum of 10 million.

40 million credit card accounts were exposed due to a security breach that occurred at a third-party vendor. The information exposed included names, card numbers and card security codes. CardSystems filed for bankruptcy in May of 2006. In 2009 it was revealed that CardSystems stored unencrypted credit card information on its servers.

2004

Funny enough, the only data breach that we have information on in 2004 was also a rather major one.

A former software engineer of AOL stole 92 million email addresses belonging to an estimated 30 million users. He then sold the list of addresses to a man in Las Vegas who began spamming the list with an advertisement for an offshore gambling website. Even the judge involved in the case admitted to canceling his AOL email account because of all the spam.

Largest non-US breaches

There have also been some pretty massive breaches in various other parts of the globe over the years. Here are some of the most prominent:

A data breach could have potentially risked the data of all 1.1 billion citizens of India. In early January, anonymous sellers on WhatsApp were offering access to any Aadhaar number and its associated details, including name, address, phone number, photo, and email address. The information was being sold with the option of software for printing ID cards, presumably for use in identity theft and other related crimes.

In 2017, Iranian hackers are accused of breaking into an ultra secure instant messaging service by compromising a dozen accounts. The hack exposed 15 million users phone numbers to the hackers. This will allow the hackers to add new devices to user’s account and give those new devices access to chat histories as well as new messages.

This Panamanian law firm specializes in setting up anonymous offshore companies. The leak is of 11.5 million encrypted documents like emails, PDF files, photos, and excerpts from an internal database. The main purpose of this collection appears to be hiding the true owners of several of the offshore companies sold by Mossack Fonseca. Given that a lot of the information stored in these files includes evidence of illegal activities, the wish for anonymity is rather obvious.

A database was discovered online containing 49.6 million entries–the entire Turkish citizenship–with names, national IDs, parents names, gender, city of birth, date of birth, ID registration city and district, and their full address.

A database containing every registered voter in the Philippines, some 55 million people, was leaked online. The leak came on the heels of a defacement of the Philippines’ Commission on Elections website.

22 million user accounts were put at risk when an attempt to access administrative portions of Yahoo Japan’s servers was detected. No personally identifiable information was stolen, according to Yahoo.

Court Ventures was in the business of selling off credit information to a Vietnamese identity theft service, resulting in over 200 million records sold over several years. These records included financial data, credit status, social security numbers, and bank information.

Players of Diablo III, Starcraft II and World of Warcraft, some 14 million gamers, were informed of a data breach that put their user accounts on Blizzard.net at risk. Encrypted passwords, the answers to security questions and email addresses of users outside of China were stolen in the breach.

Computer disks containing confidential information on 25 million recipients of child benefits were lost in the UK. The disks were lost in transit from their headquarters in Newcastle to an insurer’s headquarters in Edinburgh.

Thieves made off with a storage device containing names, addresses, cell phone numbers, some birth dates, and some email addresses for some high profile German citizens. Luckily the stolen device did not contain any financial details like credit cards or bank accounts.

The big unknown

It should be noted that some reported breaches affect an unknown number of customers, so there may be other breaches that have topped the 10 million records mark. Plus, breaches may go undiscovered, entirely or for a period of time.

The new General Data Protection Regulation (GDPR) in the EU includes a requirement that companies report data breaches (that meet certain criteria) within 72 hours. While there is a California state law that pertains to data breach reporting, there is no federal legislation in place requiring mandatory reporting of data breach details. However, not reporting a breach can lead to lawsuits from affected users, so most companies do report when they discover they have been hacked or lose some information.

Although, the amount of information reported is entirely left up to the reporting company, even to the point of just admitting that there was a breach with no details as to what data or even how much data was at risk of being accessed by unauthorized individuals. According to Privacy Rights Clearinghouse, thousands of companies have opted not to report how much of the data entrusted to them has been leaked or even how many of their customers may be at risk.

Now factor in the knowledge that some of these companies are collecting information without first informing subjects of their data mining that their information is being loaded into a database. Any retail outlet that a person walks into collects information on what they look at, pick up, purchase, and leave their store with. Match that data to facial recognition from the security cameras, as well as the information received from the point-of-sale system, and they have an identity to attach to that data entry.

Just about every retail outlet now has some form of membership that customers are encouraged to voluntarily sign up for with offers of discounts on fuel, points toward in-store savings, customized digital coupons, and other similar incentives. All of these are not, in fact, free. You are selling your personally identifiable information to these companies in exchange for the perks attached to the store’s membership system.

What can you do?

There are some things that you can do to minimize the damage or even prevent your information getting into the wrong hands. Things like using an online anonymity tool (such as a VPN), installing anti-virus software, using strong passwords, and enabling two-factor authentication can help. In the case of the latter, if the platform you’re trying to secure doesn’t offer two-factor authentication, you may be able to use a third-party two-factor authentication app, such as DUO Mobile and Google Authenticator.

On the more extreme end, there is always the option of contacting any company you have entrusted your information with. You can ask them about what they have in place for not only preventing data breaches, but what actions they take when they become aware of a leak.

If you want to check to see if your information has been involved in a data breach, a handy tool is the have I been pwned? website

Have you experienced any side effects, or even direct effects of a data breach? How did you recover? Leave your comments below along with any tips you might have for other readers.